From Fedora Project Wiki
Revision as of 20:26, 23 June 2012

DRAFT
This is just a DRAFT. We try to make sure the information here is up to date and correct, but please check before depending on it.


RPM Signature Checking During Installation

Summary

Back in the dawn of time, rpm grew the ability to check cryptographic signatures of a package. We've never used this during installation, because it was unclear where the root of trust would come from - there's no way to tell that the public keys are valid. This is filed in bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=998

That problem is now solvable.

Owner

  • Email: <your email address so we can contact you, invite you to meetings, etc.>

Current status

  • Targeted release: Fedora 19
  • Last updated: 23-Jun-2012
  • Percentage of completion: 20%


Detailed Description

Using the Secure Boot mechanism, we can make a UEFI binary, which for this discussion we'll call "Hello, World!", or "HW" for short. In that binary, we add an extra section that holds a list of public keys. We then get the binary signed with the UEFI signing service.

During installation, we verify the signature against the hardware keys. If the signature is invalid, we warn the user that something has gone horribly wrong. If it's valid, we extract the public keys from the binary using a simple tool, and we add them to the rpm database. We then run the anaconda transaction with keys in place.
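The two steps above that a "simple tool" has to perform, locating the extra section in the signed UEFI binary and splitting out the public keys it holds, as an added stand-alone example (not pesign code or anything from the feature page). The section name ".keys" and the length-prefixed key-list layout are assumptions for illustration, and the image is a constructed minimal PE file rather than a real signed binary.

```python
import struct

# Constructed minimal PE image with one assumed ".keys" section holding a
# length-prefixed list of key blobs. Section name and blob encoding are
# assumptions for this example, not the format the feature defines.
SECTION_NAME = b".keys"

def build_image(keys):
    """Construct a minimal PE file whose .keys section carries the key list."""
    payload = b"".join(struct.pack("<I", len(k)) + k for k in keys)
    pe_off = 0x40                          # e_lfanew: offset of "PE\0\0"
    raw_off = pe_off + 24 + 40             # signature + COFF header + one section entry
    dos = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)  # 1 section, no optional header
    sect = SECTION_NAME.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_off, 0, 0, 0, 0, 0x40000040)
    return bytes(dos + b"PE\0\0" + coff + sect + payload)

def extract_section(image, name):
    """Return the raw bytes of the named section, bounds-checking every offset."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off, = struct.unpack_from("<I", image, 0x3C)
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE header")
    nsect, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    for i in range(nsect):
        ent = pe_off + 24 + opt_size + 40 * i
        if ent + 40 > len(image):
            raise ValueError("section table truncated")
        size, raw = struct.unpack_from("<II", image, ent + 16)  # SizeOfRawData, PointerToRawData
        if image[ent:ent + 8].rstrip(b"\0") == name:
            if raw + size > len(image):
                raise ValueError("section data out of bounds")
            return image[raw:raw + size]
    raise KeyError(name)

def extract_keys(image):
    """Split the key section into blobs. Call only after the image's signature has verified."""
    data, pos, keys = extract_section(image, SECTION_NAME), 0, []
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated length field")
        n, = struct.unpack_from("<I", data, pos)
        if pos + 4 + n > len(data):
            raise ValueError("key blob runs past section end")
        keys.append(data[pos + 4:pos + 4 + n])
        pos += 4 + n
    return keys
```

The extraction step only makes sense after the binary's signature has been checked against the firmware's trusted keys; the signature is what makes the embedded key list worth importing into the rpm database.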

Benefit to Fedora

No more risky installation from untrusted repositories.

Scope

  1. Write the small utility to generate the binary.
  2. Write the small utility to verify the binary and extract the keys.
  3. Get a new binary signed every time we change the signing keys.

How To Test

A standard installation should exercise the positive case. Deliberately invalid binaries are easy to produce for the negative case, where the signature check must fail.

User Experience

Substantially the same as current experience, but with a nice sense of security.

Dependencies

pesign will need to provide utilities for this that it does not yet have.

Contingency Plan

The contingency plan is to keep the current status quo.

Documentation

Not yet.

Release Notes

Comments and Discussion